Apple will give popular jailbreak tool the banhammer with next iOS update

The evasi0n jailbreak uses exploits that will disappear in iOS 6.1.3.

Apple’s next minor point iOS update will fix the exploits that allow iPhones to be jailbroken with a very popular tool, according to a report from MacRumors. The 6.1.3 update, which was seeded to developers as a beta one week ago, will break the functionality of the jailbreaking tool known as “evasi0n,” meaning its creators will have to find a new way around or through the OS.

6.1.3 will already be an important security update, as it purports to fix a zombie passcode bypass bug that cropped up in iOS 6.1. When 6.1.3 is pushed out, phones with that version installed will be unable to use the evasi0n jailbreak, which had relieved almost 7 million phones of Apple’s pesky walled-garden strictures since early February in only three weeks of availability.

While that’s a lot of reach for a jailbreak in such a short time, three weeks is actually a long time for Apple to leave a jailbreak exploit open: MacRumors points out that Apple shut down Jailbreakme 3.0 for the iPhone 4 after only nine days.

Forbes reported that one of evasi0n’s handlers, David Wang, said it might be a month or more before Apple releases 6.1.3 to the general public. Wang noted to Forbes that if Apple manages to patch most of the bugs used for the jailbreaking tool, evasi0n would be “starting from scratch.”

Casey Johnston
Casey Johnston is the former Culture Editor at Ars Technica, and now does the occasional freelance story. She graduated from Columbia University with a degree in Applied Physics. Twitter: @caseyjohnston

If Apple doesn't wake up and at least start loosening the restrictions when they release iOS 7, I fear there will be nowhere to go but down for their marketshare numbers. Even non-techies are beginning to see the advantages of Android's more open system.

I ditched Apple's garden for android a while ago. But I had thought they came to a "gentleman's agreement" with the jailbreakers, where they didn't work "too" hard to prevent the jailbreaking.

I don't see an upside for Apple in frustrating the techie community too much with this stuff. Is piracy really that big an issue that they need to make it so hard to jailbreak? I'd think it's a drop in the bucket compared to the revenue they get from the cool apps that smart people make for these gadgets, and then sell on the app store. No jailbreak == lots of smart people will go elsewhere to make cool stuff.

I switched to Linux in 2006, but didn't want to give up my iPod. However, every update seemed designed to do nothing more than break functionality with anything but Windows/Apple:iTunes, none of which Linux supports. An iPod isn't worth that to me, if Apple wants to lock me in, I'm gone. Interesting how nothing ever changes, now it's control of your firmware rather than your hardware that's the issue, but it's still all about control.

Apple is closing a security hole in iOS. If this happens to inconvenience jailbreakers, that's not Apple's problem. Nor should it be seen by any reasonable person as a deliberate attack by Apple on the jailbreakers.

If they know about a security hole, whether or not it is being used for jailbreaking, they should absolutely fix it as soon as they can.

I ditched Apple's garden for android a while ago. But I had thought they came to a "gentleman's agreement" with the jailbreakers, where they didn't work "too" hard to prevent the jailbreaking.

I don't see an upside for Apple in frustrating the techie community too much with this stuff. Is piracy really that big an issue that they need to make it so hard to jailbreak? I'd think it's a drop in the bucket compared to the revenue they get from the cool apps that smart people make for these gadgets, and then sell on the app store. No jailbreak == lots of smart people will go elsewhere to make cool stuff.

There was never any "gentleman's agreement". It's a game of cat and mouse.

And no, there really is no upside in alienating the geek community for Apple; only the technically inclined, perhaps 10% or fewer actually jailbreak. Apple's goal is to remain in total control of its platform and they are quite willing to alienate geeks to do it. Individually of course, jailbreaking does carry certain risks like security, but usually most people doing this sort of stuff have some idea what they're getting into. Of course, even without jailbreaks, iPhones may have security risks anyways.

I appreciate the iPhone in its jailbroken form. When this avenue is closed, my iPhone 4 will become not just my first iPhone but also the last. It's not an empty, typed threat. I am seriously frustrated with iOS' lack of native functionality.

It's all in the presentation. Your jailbreak is their security patch. Apple has been playing this game for years, but it's still all about control. To Apple, if you can do what you want with your device, it's a security hole.

It's just as likely that after the patch is issued, innovative jailbreakers will extract the passcode exploit fix out of the update and create a patch for it in Cydia, as they have in the past (like the initial jailbreakme exploit). This would only leave out the Japanese siri and maps update which isn't a huge loss for a great majority of iPhone users.

Can someone explain exactly WHY Apple is so tough on jailbreaking? Personally I would never buy a phone or tablet I couldn't root, and I suspect many of the millions who have downloaded evasi0n would concur.

I understand that Apple needed to fix the previous security holes where you could root your phone by visiting a website, but evasi0n requires so much user interaction it can't really be a problem. So why is Apple killing off such a big market?

A crucial difference is that "jailbreakme" was based on a vulnerability that enabled severe drive-by attacks on unsuspecting users, while "evasi0n" needs to be applied deliberately by the user of the device.

So plugging the "jailbreakme" vulnerability was absolutely vital for all users' security, while the elimination of the "evasi0n" mechanism (which isn't even a real vulnerability) isn't really needed to protect regular users.

Jeremy W wrote:

If Apple doesn't wake up and at least start loosening the restrictions when they release iOS 7, I fear there will be nowhere to go but down for their marketshare numbers. Even non-techies are beginning to see the advantages of Android's more open system.

And nobody is supposed to notice that Android has become the primary petri dish for mobile malware at the same time?

The restrictions in iOS and in the App Store on the one hand and the "openness" on the Android side are clearly the main reason why iOS is substantially more secure than Android. And while that may not be the main priority for all users, it still is for many of them, if not for most.

Jailbreaks are implemented via security exploits. If you can run a kernel exploit and root your device, then someone with malicious intent certainly can. I'm enjoying my now-Jailbroken iPod Touch right now, but I certainly don't blame Apple for doing their job and patching security vulnerabilities.

It's the same cat-and-mouse game that is computer security. The only difference is some people are receiving a benefit from the open exploits. I look at it as a good thing. The Jailbreak dev community has an incentive to find security holes as a means of rooting the device, and Apple patches the issue. In the meantime, everyone who wants to can get some fun extras.

A crucial difference is that "jailbreakme" was based on a vulnerability that enabled severe drive-by attacks on unsuspecting users, while "evasi0n" needs to be applied deliberately by the user of the device.

So plugging the "jailbreakme" vulnerability was absolutely vital for all users' security, while the elimination of the "evasi0n" mechanism (which isn't even a real vulnerability) isn't really needed to protect regular users.

The JB community patched (if you jailbroke your phone) the jailbreakme vulnerability nearly a month and a half before Apple issued an update that did the same thing. You were more secure for that time period if you were a jailbreaker than a non-jailbreaking customer.

@Matt Wallis: There may be more malware in Android - do you have statistics or urban legends on that? And no, Google is not a reliable source - but I'd rather deal with a platform that leaves me choice rather than a nanny platform that tells me how I can use my device in every way. I'm a grown-up adult (55 yrs old and probably more experienced than you) and I dumped Apple because it's not about choice, it's about doing it "the Apple way".

The restrictions in iOS and in the App Store on the one hand and the "openness" on the Android side are clearly the main reason why iOS is substantially more secure than Android. And while that may not be the main priority for all users, it still is for many of them, if not for most.

Er no. That's rubbish.

If a user wishes to unlock a phone or sideload apps from other sources they need to know that they have a higher risk of inadvertently installing malware. But giving users the choice to unlock has no impact on the overall security of the platform as long as it requires physical access to the device. A drive-by jailbreak that can be done remotely needs to be fixed. A jailbreak that needs the phone to be tethered through USB while a particular program is run does not.

A crucial difference is that "jailbreakme" was based on a vulnerability that enabled severe drive-by attacks on unsuspecting users, while "evasi0n" needs to be applied deliberately by the user of the device.

So plugging the "jailbreakme" vulnerability was absolutely vital for all users' security, while the elimination of the "evasi0n" mechanism (which isn't even a real vulnerability) isn't really needed to protect regular users.

The JB community patched (if you jailbroke your phone) the jailbreakme vulnerability nearly a month and a half before Apple issued an update that did the same thing. You were more secure for that time period if you were a jailbreaker than a non-jailbreaking customer.

Jailbreaks break most of the iOS security infrastructure, particularly the code signing checks, so this would have been a classic case of getting out of the frying pan and into the fire.

Can someone explain exactly WHY Apple is so tough on jailbreaking? Personally I would never buy a phone or tablet I couldn't root, and I suspect many of the millions who have downloaded evasi0n would concur.

I understand that Apple needed to fix the previous security holes where you could root your phone by visiting a website, but evasi0n requires so much user interaction it can't really be a problem. So why is Apple killing off such a big market?

Why is Apple killing off this market? First, as others have said, they're doing this to kill off a security vulnerability, which is important even if it's not easily exploitable.

Second, because it's not a market, at least not an important one for Apple. Sure, this pisses off the tweakers and the rooters. (Disclosure: I used to be one of them.) But Apple never promised that iOS would be tweakable, and they're going to be most worried about their most important customers: the ones who are going to stick with Apple products whether or not they can jailbreak them. Apple would rather serve the people who say, "More consistent music controls? Great," than the ones who say, "I can't do it my way? I'm switching to Android."

People who think iOS should be tweakable: You have a wonderfully valid opinion. But you'd be better off just buying an Android that you'll be happy with instead of complaining and hoping for a "solution" to iOS's rigidity.

I ditched Apple's garden for android a while ago. But I had thought they came to a "gentleman's agreement" with the jailbreakers, where they didn't work "too" hard to prevent the jailbreaking.

I don't see an upside for Apple in frustrating the techie community too much with this stuff. Is piracy really that big an issue that they need to make it so hard to jailbreak? I'd think it's a drop in the bucket compared to the revenue they get from the cool apps that smart people make for these gadgets, and then sell on the app store. No jailbreak == lots of smart people will go elsewhere to make cool stuff.

A jailbreak is a security breach, it would be irresponsible for Apple to leave one open when they have the ability to close it.

@tylerwayne: You hit it in one. I was an Apple fanboy from 2002-2006, and I bailed because I was seeing one after another "security updates" that were nothing more than a way for Apple to push out controls. It's not a market, but it's my choice, so I chose with my wallet, I moved to Linux and Android. Let Apple have the "I don't want to know how it works, I just want to push buttons" crowd. My grandma's been dead for 40 years, but she could run an iDevice. Me, I like to be able to configure things my way, not let Apple tell me what I want.

I really don't get the vibe in so many comment threads about jailbreaking, that is all about "Apple is holding my device hostage and without a Jailbreak it is useless".

I do own iPods since 2004, and an iPhone and iPad since 2011. I have yet to come into a situation where these devices could not perform a task because of Apple's walled garden. Everything I did want to do with one of the devices could be done fine without Jailbreak.

I do respect everybody coming from the direction of Richard Stallman who rejects closed software for reasons of principle, that is not my line of argument here. I just want to know, which use cases do need a jailbroken device as I have yet to encounter one (pirating software would be such a use case obviously, but this does not appeal to me).

But then I just can see my side of the things and I would like to know what are the use cases that drive people to jailbreak their iDevice or drive them away from the iOS platform entirely.

@Y3k-Bug: How do you define a security breach? I have a UEFI compliant motherboard in my workstation, which according to Microsoft means I CAN use secure boot, but I don't have to. If I did so, I couldn't run Linux. But I can disable UEFI and load Linux, which I consider much more secure than Windows. At least I have the choice, which is more than Apple wants to give me. A security breach is in the eye of the beholder in many cases. I refuse to let Apple define it.

@tylerwayne: You hit it in one. I was an Apple fanboy from 2002-2006, and I bailed because I was seeing one after another "security updates" that were nothing more than a way for Apple to push out controls. It's not a market, but it's my choice, so I chose with my wallet, I moved to Linux and Android. Let Apple have the "I don't want to know how it works, I just want to push buttons" crowd. My grandma's been dead for 40 years, but she could run an iDevice. Me, I like to be able to configure things my way, not let Apple tell me what I want.

You moved to Android before it was released in reaction to "control" policies for a product that Apple hadn't yet released? I guess this makes you some sort of smartphone hipster.

Smart phone newbies (basically anyone that didn't own a Blackberry) need to realize that the "appstore" is a recent invention. When all you had was Blackberry, you bought from 3rd party companies that were professional (Handigo), downloaded from getjar, SourceForge, or even personal websites. It wasn't a big deal because the granularity of the security functions on a blackberry made it likely you could wall off the app.

The iphone appstore makes money for Apple. (Most iphone app developers are lucky to net minimum wage.) Apple will never give up the noose it has around the sheeple's collective necks.

Apple could make a secure iphone and allow side-loading if they wanted. Everyone else can.

I ditched Apple's garden for android a while ago. But I had thought they came to a "gentleman's agreement" with the jailbreakers, where they didn't work "too" hard to prevent the jailbreaking.

I don't see an upside for Apple in frustrating the techie community too much with this stuff. Is piracy really that big an issue that they need to make it so hard to jailbreak? I'd think it's a drop in the bucket compared to the revenue they get from the cool apps that smart people make for these gadgets, and then sell on the app store. No jailbreak == lots of smart people will go elsewhere to make cool stuff.

Techies will jailbreak it again in a matter of days. The remaining 99.99% of users won't notice, won't care.